Differences between revisions 5 and 6
Revision 5 as of 2004-10-26 05:29:08
Size: 2035
Editor: UlfLamping
Comment: move UDP PacketLoss information to the appropriate page
Revision 6 as of 2008-04-12 17:50:14
Size: 2035
Editor: localhost
Comment: converted to 1.6 markup
Deletions are marked like this. Additions are marked like this.
Line 7: Line 7:
If a sending host thinks a packet is not transmitted correctly because of a PacketLoss, it might ["Retransmit"] that packet. The receiving host might already got the first packet, and will receive a second one, which is a duplicated packet. If a sending host thinks a packet is not transmitted correctly because of a PacketLoss, it might [[Retransmit]] that packet. The receiving host might already got the first packet, and will receive a second one, which is a duplicated packet.
Line 9: Line 9:
ConnectionOrientedProtocols such as ["TCP"] will detect duplicate packets, and will ignore them completely. ConnectionOrientedProtocols such as [[TCP]] will detect duplicate packets, and will ignore them completely.
Line 11: Line 11:
ConnectionlessProtocols such as ["UDP"] won't detect duplicate packets, because there's no information in, for example, the UDP header to identify a packet so that packets can be recognized as duplicates. The data from that packet will be indicated twice (or even more) to the application; it's the responsibility of the application to detect duplicates (perhaps by supplying enough information in ''its'' headers to do so) and process them appropriately, if necessary. ConnectionlessProtocols such as [[UDP]] won't detect duplicate packets, because there's no information in, for example, the UDP header to identify a packet so that packets can be recognized as duplicates. The data from that packet will be indicated twice (or even more) to the application; it's the responsibility of the application to detect duplicates (perhaps by supplying enough information in ''its'' headers to do so) and process them appropriately, if necessary.
Line 26: Line 26:
 '''Q:''' Is it possible to turn off the display of duplicate packets? Over 25% of the packets for many of my TCP scans are duplicates. I must decode the traffic of the systems now, before the network engineers have had time to flush out the congestion causes.[[BR]]  '''Q:''' Is it possible to turn off the display of duplicate packets? Over 25% of the packets for many of my TCP scans are duplicates. I must decode the traffic of the systems now, before the network engineers have had time to flush out the congestion causes.<<BR>>

Duplicate Packets

Duplicate packets are an often observed network behaviour.

A packet is duplicated somewhere on the network and received twice at the receiving host. It is very often not desireable to get these duplicates, as the receiving application might think that's "fresh" data (which it isn't).

If a sending host thinks a packet is not transmitted correctly because of a PacketLoss, it might Retransmit that packet. The receiving host might already got the first packet, and will receive a second one, which is a duplicated packet.

ConnectionOrientedProtocols such as TCP will detect duplicate packets, and will ignore them completely.

ConnectionlessProtocols such as UDP won't detect duplicate packets, because there's no information in, for example, the UDP header to identify a packet so that packets can be recognized as duplicates. The data from that packet will be indicated twice (or even more) to the application; it's the responsibility of the application to detect duplicates (perhaps by supplying enough information in its headers to do so) and process them appropriately, if necessary.

Reasons

For most networks, duplicate packets is a typical behaviour, e.g. this will happen if the sending side transmitted a packet correctly, but think it wasn't received at all.

Sometimes, defective hardware/software simply duplicates packets.

Troubleshooting

If the network is configured correctly, there's not much that can be done against duplicate packets as this is a somewhat "intended" behaviour.

Discussion

  • Q: Is it possible to turn off the display of duplicate packets? Over 25% of the packets for many of my TCP scans are duplicates. I must decode the traffic of the systems now, before the network engineers have had time to flush out the congestion causes.
    A: Try using

     not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission

    (or some subset therein) as a display filter. - Gerald Combs

DuplicatePackets (last edited 2008-04-12 17:50:14 by localhost)